Bug 656132 (Closed)
Opened 14 years ago; closed 14 years ago
TI: Crash [@ JSString::length]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 655998
People: Reporter: decoder, Unassigned
Keywords: crash, testcase
Attachments (1 file): application/x-compressed-tar (deleted)
The attached testcase crashes on TI revision 015bd3ff1be6 (run main.js with -m -n -a),
tested on 64-bit.
Backtrace:
==5756== Invalid read of size 8
==5756== at 0x413C9E: JSString::length() const (jsstr.h:250)
==5756== by 0x51EBE3: js::StringObject::setStringThis(JSString*) (StringObject.h:83)
==5756== by 0x51F7EA: js::StringObject::init(JSContext*, JSString*) (jsscopeinlines.h:158)
==5756== by 0x51FC9B: js::StringObject::create(JSContext*, JSString*) (StringObject-inl.h:62)
==5756== by 0x519797: PrimitiveToObject(JSContext*, js::Value const&) (jsobj.cpp:6596)
==5756== by 0x5198EE: js_ValueToObjectOrNull(JSContext*, js::Value const&, JSObject**) (jsobj.cpp:6629)
==5756== by 0x519A3C: js_ValueToNonNullObject(JSContext*, js::Value const&) (jsobj.cpp:6665)
==5756== by 0x78C8CA: js::mjit::ValueToObject(JSContext*, js::Value*) (StubCalls-inl.h:62)
==5756== by 0x78EDD7: MonitorArithmeticOverflow(js::VMFrame&, js::Value const&) (StubCalls.cpp:1084)
==5756== by 0x78F526: js::mjit::stubs::Sub(js::VMFrame&) (StubCalls.cpp:1183)
==5756== by 0x41B1449: ???
==5756== by 0x6909D1: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:842)
==5756== Address 0x1c4002 is not stack'd, malloc'd or (recently) free'd
==5756==
==5756==
==5756== Process terminating with default action of signal 11 (SIGSEGV)
Updated 14 years ago:
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated 13 years ago:
Crash Signature: [@ JSString::length]